Breach in healthcare data: One step too far

I am an Anthem customer, and according to CSO, “One in nine Americans have medical coverage through one of Anthem’s affiliated plans.”

It is not just the scope of the Anthem breach that feels different. Healthcare insurance is an important fabric of life and cuts much closer into our personal boundaries than the high-profile retail breaches of 2014. While Anthem claims no healthcare data was exfiltrated, the fact remains it certainly could have been. The loss of personal data is enough to make this attack…well…personal. Which in turn heightens the notion of being a victim.

I work in IT security, so I know the risks of putting down my credit card either at a cash register or over the web. I had to change credit card numbers numerous times in 2014, but I accept the risks of using my cards and make the conscious decision to do so. Notification of my credit card being compromised is acceptable risk.

Healthcare data is different. What I buy at a store is far less intrusive than having someone know what medicines I take, my triglyceride level, or when I had my knee scoped. Personal circumstances make healthcare insurance a critical part of my life and my compensation. It is not an option for me. So the necessity of the relationship and the personal nature of the data make the contract with Anthem feel somehow deeper than my relationship with a retailer or my card provider.

It will be interesting to see the Anthem breach play out over time. Based on my reading, there appears to be no exotic tradecraft applied to Anthem. No Stuxnet-level advanced persistent threat (APT). Instead, early reports have persistent social engineering and privilege escalation as the culprits. Not much technical news.

Yet the Anthem breach already feels unusual. The narrative is somehow more personal and certainly more pervasive. Will the emotional aspect make this a milestone breach in the IT security historical narrative? Time will tell. I know this time it is certainly different for me.